Company: Styra, the company behind Open Policy Agent (OPA) and pioneers in cloud-native authorization.
Company description: Styra is a privately held, venture-backed company based in Redwood City, Calif., that was founded in 2015 and is led by CEO Bill Mann.
Styra enables enterprises to define, enforce and monitor policy across their cloud-native environments. With a combination of open-source (Open Policy Agent) and commercial solutions (Declarative Authorization Service), Styra provides security, operations and compliance guardrails to protect applications, as well as the infrastructure on which they run. Styra policy-as-code solutions let developers, DevOps and security teams mitigate risks, reduce human error and accelerate application development. OPA was initially proven out at scale by the likes of Netflix, Capital One, Atlassian, Pinterest and others. Two years later, it has reached the point of over 1 million downloads per week.
Styra DAS, built on OPA, provides a single control plane for authorization both within applications and for the infrastructure they run upon. OPA and Styra DAS work together to solve typical entitlements/authorization problems for enterprises. For example, enterprise development teams typically build siloed policy in multiple places, use different languages to codify authorization, and have infrastructure policy that is typically unrelated to app policy. OPA and Styra DAS overcome these issues by providing developers with a common policy language, toolset and framework for policy across the cloud-native stack. OPA adds context-aware policy evaluation to tightly control exactly what the proxies allow or deny, and does so with the same policy language and tooling used for all authorization decisions. Styra DAS provides the authoring, distribution, impact analysis, monitoring and audit controls for that policy.
Developers, DevOps and platform engineering teams have proven OPA and Styra DAS in production to mitigate risk, reduce human error and accelerate application development in today’s dynamic multi-cloud world with Kubernetes, Envoy, Terraform, Kafka and more.
International operations: The company has support in Europe.
Products and Services
Styra Declarative Authorization Service (DAS) is the company’s turnkey enterprise security solution built on OPA, the open-source project that recently graduated from the Cloud Native Computing Foundation (CNCF).
- Consistent, unified authorization logic across services: Styra DAS enables teams to remove custom logic from the app so developers can focus on more critical, differentiated features. Services don’t need to maintain awareness of requests or contain logic for evaluating access rules.
- Verify before enforcement with impact analysis: Styra DAS allows you to pre-run policies to see their impact before deployment. Compare changes against historical data, to see what would have been different if the updates had been made. Put rules into monitor-only mode to see where violations occur.
- Manage and distribute policy at scale: Styra DAS manages authorization policy across services and proxies with a single management and control plane. Policies are enforced locally, and updated centrally, for comprehensive compliance and security. Ensure authorization policy is enforced across services, without custom policy logic.
- Customizable, context-aware policies: Styra DAS lets DevOps and development teams incorporate context from authentication tokens, the data being requested, the APIs making requests and more, to meet business requirements and end brittleness.
- Rego Policy Builder provides a streamlined, graphical, purpose-built, point-and-click policy interface for OPA authorization rules. This visualization of policy-as-code enables DevOps, security and compliance teams to:
  - Take advantage of the speed and security of OPA, without investing up-front time to learn all the details of Rego, its custom policy language.
  - Speed development of sophisticated security, compliance and operational rules for modern cloud-native applications.
  - More easily communicate across teams to prove that security is in place, and built as intended.
- Support for microservices and service mesh: With authorization for microservices, Styra DAS helps operationalize the service mesh by controlling what APIs can be executed on what services, both on ingress and egress. As companies increase deployments and software scales to customer demands, these controls are critical in ensuring cloud-native applications adhere to data privacy and compliance regulations, as well as risk mitigation.
- Support for mutating webhooks and pod security policies: Support for Kubernetes mutating webhooks enables Styra policies to go beyond “allow or deny,” to automatically append, update or add relevant parameters to ensure workloads are compliant before they reach production. Support for these Admission Controllers means Styra DAS can automatically remediate problems that would otherwise result in blocked workloads and manual review. The Pod security policies (PSP) pack extends the existing best practices and PCI DSS 3.2 policy packs, all of which eliminate the need to research, identify and implement baseline guardrails/policies for Kubernetes. With best-practice guardrails in place from the start, human error and missteps that delay projects, slow delivery and introduce risk are eliminated.
Insight and Analysis
The New Stack has an insightful article from November 2020 on OPA by Steven J. Vaughan-Nichols, one of the industry’s best open-source software reporters/analysts. Highlights:
“Long, long before we were coding policy enforcement into our clouds, we tried to code it into our programs. Most of the answers we created were hard-coded, difficult to maintain, and nigh unto impossible to update. But, in 2016, Open Policy Agent (OPA, pronounced “oh-pa”) for cloud native environments was created, and policy enforcement in code became much more practical. Now, its developers, under their company, Styra, have announced a new three-tier product offering for Styra Declarative Authorization Service (DAS).”
“OPA is an open source, general-purpose policy engine that unifies policy enforcement across the stack. You write these policies in its high-level declarative language Rego, which, in turn, is based on the old Prolog-based Datalog query language. With Rego, you can specify policy as code and create simple APIs to offload policy decision-making from your software. You can then use OPA to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more.
“OPA has been used for creating Kubernetes access policies; setting up cloud security policies; Netflix uses OPA to control internal API resources access; Chef uses it to provide Identity and Access Management (IAM) capabilities in its end-user products.
“OPA is also a Cloud Native Computing Foundation (CNCF) incubator project. There it averages a rather amazing 1 million downloads a week.
“Styra’s not the only one singing its approach’s praises. According to the Gartner report, Market Guide for Compliance Automation Tools in DevOps, “As organizations migrate workloads to the cloud or move from virtualized to containerized environments, I&O leaders must evaluate existing tools that protect cloud and container-based infrastructure. These tools enable enforcing infrastructure compliance policies to minimize configuration-related risks. Opportunities exist for the orchestration of policies over distinct agile infrastructure environments. Specifically, the OPA open source initiative has started to emerge as a source for an ecosystem of startups building enterprise capabilities over OPA.”
“You can see for yourself what all the fuss is about with the new DAS Free. This is a completely free, self-service option for up to two clusters or 10 nodes to streamline the adoption process. For teams with larger production scale needs, DAS Pro offers a clear and transparent pricing model, for up to 50 nodes, to protect and manage Kubernetes clusters as they grow from initial testing/deployment to full production environments. Finally, DAS Enterprise gives teams unlimited OPA deployments and rules with around the clock support. Regardless of the version, all have access to the same management plane, policy libraries, impact analysis, monitoring, and decision logging.
“These new editions will benefit any number of teams beginning their Kubernetes journey,” said Tim Hinrichs, co-creator of OPA and Styra’s CTO. “It will also help platform engineers new to OPA who want to deploy community best practices immediately without custom coding. Ultimately, this will help lessen the burden for anyone who needs to monitor, validate and test Kubernetes admission control with OPA.”
List of current customers: Frontdoor, SugarCRM
Other key players in this market: Aqua, Sysdig, StackRox, Tigera, Oso Security, Magalix, PlainID (Note: Styra is the only solution to define, enforce and monitor policy rules before runtime)
Delivery: SaaS or on-premises
Styra sells Styra Declarative Authorization Service (DAS) in three tiers. The DAS Free, DAS Pro and DAS Enterprise editions give teams of any size and stage a budget-friendly and fast option to operationalize OPA at scale for Kubernetes. Platform engineers and teams can now deploy DAS in just minutes and have access to more than 100 built-in policies, as well as full enterprise-grade monitoring, impact analysis and decision logging. These new offerings enable a self-service experience and eliminate the need for learning and custom coding OPA policies for Kubernetes admission control.
Platform engineers are able to get started with DAS Free, a completely free, self-service option for up to two clusters or 10 nodes to streamline the adoption process. For teams with larger production scale needs, DAS Pro offers a clear and transparent pricing model, for up to 50 nodes, to protect and manage Kubernetes clusters as they grow from initial testing/deployment to full production environments. DAS Enterprise gives teams an edition that supports unlimited OPA deployments and rules with around the clock support.
Customers of Styra DAS Free (free), Pro ($70 per node per month) and Enterprise (contact for demo and pricing) all have access to the same management plane, policy libraries, impact analysis, monitoring and decision logging.
Contact information for potential customers: https://www.styra.com/
Request a demo: https://registration.styra.com/requestademo
Also available via Amazon Marketplace.
eWEEK is building an IT products and services section that encompasses most of the categories that we cover on our site. In it, we will spotlight the leaders in each sector, which include enterprise software, hardware, security, on-premises-based systems and cloud services. We also will add promising new companies as they come into the market.